[BUG]: Spending limit detection is too loose

[akirilov]

Describe the bug

The inclusion of the word "reset" in the spending limit check can easily trigger on keywords included in normal LLM pentest responses (e.g. "password reset"). This should be removed.

The other checks could also conceivably trigger, so there should be a flag to disable the pattern-matching spending guard when the user expects the test might trigger it incorrectly

Steps to reproduce

Run the test against something with a reset functionality. I'm genuinely surprised this didn't trigger against fruit shop since it has a password reset issue.

Expected behaviour

General words often seen in pentests, such as "reset" are not included in the billing pattern matching. Furthermore, users have some way to disabling the blind pattern matching.

Actual behaviour

See expected behavior (sorry this is a very small issue)

Pre-submission checklist (required)

• I have searched the existing open issues and confirmed this bug has not already been reported.
• I am running the latest released version of shannon.

If applicable

• I have included relevant error messages, stack traces, or failure details.
• I have checked the audit logs and pasted the relevant errors.
• I have inspected the failed Temporal workflow run and included the failure reason.
• I have included clear steps to reproduce the issue.
• I have redacted any sensitive information (tokens, URLs, repo names).

Debugging details

No response

Screenshots

No response

Authentication method used

CLAUDE_CODE_OAUTH_TOKEN

Full ./shannon command with all flags used (with redactions)

./shannon start -u http://host.docker.internal:8000 -r ../juice-shop

Are you using any experimental models or providers other than default Anthropic models?

No

If Yes, which one (model/provider)?

No response

OS (with version)

macOS 26.3.1

Docker version ('docker -v')

Docker version 29.2.1, build a5c7197

Additional context

Because the Claude SDK does not provide support for custom Bedrock providers (only AWS) and my use case requires a custom (likely proxied) AWS provider URL, I had to create and adapter to adapt the Bedrock API to the Claude API format and use the custom Claude API provider instead. This is almost certainly not causing the issue since it's a simple issue with pattern matching on response text, but I figured it's worth mentioning.

[ariapalmer1231-png]

Thanks for taking the time to report this — you’ve raised a very valid point. Le mar. 31 mar. 2026, 02:13, akirilov ***@***.***> a écrit :

…

*akirilov* created an issue (KeygraphHQ/shannon#263) <#263> Describe the bug The inclusion of the word "reset" in the spending limit check can easily trigger on keywords included in normal LLM pentest responses (e.g. "password reset"). This should be removed. The other checks could also conceivably trigger, so there should be a flag to disable the pattern-matching spending guard when the user expects the test might trigger it incorrectly Steps to reproduce Run the test against something with a reset functionality. I'm genuinely surprised this didn't trigger against fruit shop since it has a password reset issue. Expected behaviour General words often seen in pentests, such as "reset" are not included in the billing pattern matching. Furthermore, users have some way to disabling the blind pattern matching. Actual behaviour See expected behavior (sorry this is a very small issue) Pre-submission checklist (required) - I have searched the existing open issues and confirmed this bug has not already been reported. - I am running the latest released version of shannon. If applicable - I have included relevant error messages, stack traces, or failure details. - I have checked the audit logs and pasted the relevant errors. - I have inspected the failed Temporal workflow run and included the failure reason. - I have included clear steps to reproduce the issue. - I have redacted any sensitive information (tokens, URLs, repo names). Debugging details *No response* Screenshots *No response* Authentication method used CLAUDE_CODE_OAUTH_TOKEN Full ./shannon command with all flags used (with redactions) ./shannon start -u http://host.docker.internal:8000 -r ../juice-shop Are you using any experimental models or providers other than default Anthropic models? No If Yes, which one (model/provider)? *No response* OS (with version) macOS 26.3.1 Docker version ('docker -v') Docker version 29.2.1, build a5c7197 Additional context Because the Claude SDK does not provide support for custom Bedrock providers (only AWS) and my use case requires a custom (likely proxied) AWS provider URL, I had to create and adapter to adapt the Bedrock API to the Claude API format and use the custom Claude API provider instead. This is almost certainly not causing the issue since it's a simple issue with pattern matching on response text, but I figured it's worth mentioning. — Reply to this email directly, view it on GitHub <#263?email_source=notifications&email_token=CAYBNVJ5RLEA7PB2RXLORQD4TNVYLA5CNFSL4Z3JMQ5C6L3HNF2C22DVMIXUS43TOVSS6NBRG43DKNZVG4YTTJTSMVQXG33OVJZXKYTTMNZGSYTFMSSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/CAYBNVOXO5DX56R5C5RVYU34TNVYLAVCNFSM6AAAAACXHIV2BWVHI2DSMVQWIX3LMV43ASLTON2WKOZUGE3TMNJXGU3TCOI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[akirilov]

I can't submit my PR because of my work restrictions but I'm currently doing something like this, I hope it's useful:

commit e27928752d13f7dee162d9748ade0ebd0d513c52
Author: Nas Kirilov <nas.kirilov@woven-planet.global>
Date:   Tue Mar 31 15:56:37 2026 +0900

    Remove 'reset' keyword and add flag to disable spending guard

diff --git a/apps/worker/src/utils/billing-detection.ts b/apps/worker/src/utils/billing-detection.ts
index 6f25c72..25b528f 100644
--- a/apps/worker/src/utils/billing-detection.ts
+++ b/apps/worker/src/utils/billing-detection.ts
@@ -26,7 +26,6 @@ export const BILLING_TEXT_PATTERNS = [
   'cap reached',
   'budget exceeded',
   'usage limit',
-  'resets',
 ] as const;
 
 /**
@@ -50,8 +49,10 @@ export const BILLING_API_PATTERNS = [
 /**
  * Checks if text matches any billing text pattern.
  * Used for sniffing SDK output content for spending cap messages.
+ * Disabled when SHANNON_DISABLE_SPENDING_GUARD=1.
  */
 export function matchesBillingTextPattern(text: string): boolean {
+  if (process.env.SHANNON_DISABLE_SPENDING_GUARD === '1') return false;
   const lowerText = text.toLowerCase();
   return BILLING_TEXT_PATTERNS.some((pattern) => lowerText.includes(pattern));
 }
@@ -82,6 +83,8 @@ export function matchesBillingApiPattern(message: string): boolean {
  * @returns true if this looks like a spending cap hit
  */
 export function isSpendingCapBehavior(turns: number, cost: number, resultText: string): boolean {
+  if (process.env.SHANNON_DISABLE_SPENDING_GUARD === '1') return false;
+
   // Only check if turns <= 2 AND cost is exactly 0
   if (turns > 2 || cost !== 0) {
     return false;

[Karen86Tonoyan]

To jest sensowny issue i ten commit wygląda prawie dobrze, ale dorzuciłbym 3 poprawki, żeby to było enterprise, a nie tylko szybki hotfix. Co jest trafione reset/resets w takim guardzie to zły pattern, bo w pentestach pojawia się naturalnie: password reset reset token reset flow Więc user ma rację: to daje false positive. Też sensowne jest dodanie flagi typu: SHANNON_DISABLE_SPENDING_GUARD=1 bo są testy, gdzie ślepe pattern matching naprawdę będzie przeszkadzać. Co bym poprawił w proponowanym fixie 1. Usuń oba warianty, nie tylko resets Jeśli w kodzie gdziekolwiek siedzi też reset, to wywalić oba. Nie można zostawić singla i wyjąć tylko plural. 2. Flaga env jest dobra, ale lepiej dodać też CLI flag Nie każdy chce grzebać w env. Lepiej mieć:

…

--disable-spending-guard i opcjonalnie env jako fallback To daje: czytelność łatwiejsze odtwarzanie lepsze użycie w CI 3. Guard nie powinien opierać się tylko na substringach To jest główny problem architektoniczny. Lepsza kolejność: 1. API/provider signals 2. structured errors 3. dopiero na końcu text patterns Bo teraz zwykły tekst LLM może Ci odpalić logikę billingową przez przypadek. Jakbym to ustawił Nie jako „remove one bad word”, tylko: export const BILLING_TEXT_PATTERNS = [ 'spending limit', 'billing limit', 'usage limit exceeded', 'budget exceeded', 'cap reached', ] as const; Czyli: tylko bardziej jednoznaczne frazy bez ogólnych słów I do tego: export function isSpendingGuardDisabled(): boolean { return process.env.SHANNON_DISABLE_SPENDING_GUARD === '1'; } Potem używać jednej funkcji, zamiast powtarzać warunek w kilku miejscach. Jeszcze jedna ważna rzecz Ten warunek: if (turns > 2 || cost !== 0) return false; jest ok jako heurystyka, ale dalej krucha. Bo jeżeli provider zmieni raportowanie kosztu albo zwróci 0 przy innym błędzie, guard dalej może łapać śmieci. Czyli docelowo: billing detection powinno być oddzielone od generic failure detection Mój werdykt Issue: valid Proponowany commit: dobry kierunek Docelowy fix: usunąć ogólne patterny + dodać disable flag + preferować provider/API signals nad substring matching Jeśli chcesz, mogę Ci z tego od razu zrobić: krótki komentarz maintainera na GitHub, albo gotowy patch/PR description po angielsku. wt., 31 mar 2026, 15:01 użytkownik akirilov ***@***.***> napisał:

*akirilov* left a comment (KeygraphHQ/shannon#263) <#263 (comment)> I can't submit my PR because of my work restrictions but I'm currently doing something like this, I hope it's useful: commit e27928752d13f7dee162d9748ade0ebd0d513c52 Author: Nas Kirilov ***@***.***> Date: Tue Mar 31 15:56:37 2026 +0900 Remove 'reset' keyword and add flag to disable spending guard diff --git a/apps/worker/src/utils/billing-detection.ts b/apps/worker/src/utils/billing-detection.ts index 6f25c72..25b528f 100644 --- a/apps/worker/src/utils/billing-detection.ts +++ b/apps/worker/src/utils/billing-detection.ts @@ -26,7 +26,6 @@ export const BILLING_TEXT_PATTERNS = [ 'cap reached', 'budget exceeded', 'usage limit', - 'resets', ] as const; /** @@ -50,8 +49,10 @@ export const BILLING_API_PATTERNS = [ /** * Checks if text matches any billing text pattern. * Used for sniffing SDK output content for spending cap messages. + * Disabled when SHANNON_DISABLE_SPENDING_GUARD=1. */ export function matchesBillingTextPattern(text: string): boolean { + if (process.env.SHANNON_DISABLE_SPENDING_GUARD === '1') return false; const lowerText = text.toLowerCase(); return BILLING_TEXT_PATTERNS.some((pattern) => lowerText.includes(pattern)); } @@ -82,6 +83,8 @@ export function matchesBillingApiPattern(message: string): boolean { * @returns true if this looks like a spending cap hit */ export function isSpendingCapBehavior(turns: number, cost: number, resultText: string): boolean { + if (process.env.SHANNON_DISABLE_SPENDING_GUARD === '1') return false; + // Only check if turns <= 2 AND cost is exactly 0 if (turns > 2 || cost !== 0) { return false; — Reply to this email directly, view it on GitHub <#263?email_source=notifications&email_token=BUHB4E747H6KNVLOFW5UJFL4TO6SXA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJWGI2DQMBZGA3KM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4162480906>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BUHB4E3ZTIL6MXNQEFXYSTL4TO6SXAVCNFSM6AAAAACXHIV2BWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNRSGQ4DAOJQGY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[kevinward1231-ai]

Thanks for the detailed feedback and the structural suggestions.

…

On Tue, Mar 31, 2026, 3:29 PM Karentonoyan ***@***.***> wrote: *Karen86Tonoyan* left a comment (KeygraphHQ/shannon#263) <#263 (comment)> To jest sensowny issue i ten commit wygląda prawie dobrze, ale dorzuciłbym 3 poprawki, żeby to było enterprise, a nie tylko szybki hotfix. Co jest trafione reset/resets w takim guardzie to zły pattern, bo w pentestach pojawia się naturalnie: password reset reset token reset flow Więc user ma rację: to daje false positive. Też sensowne jest dodanie flagi typu: SHANNON_DISABLE_SPENDING_GUARD=1 bo są testy, gdzie ślepe pattern matching naprawdę będzie przeszkadzać. Co bym poprawił w proponowanym fixie 1. Usuń oba warianty, nie tylko resets Jeśli w kodzie gdziekolwiek siedzi też reset, to wywalić oba. Nie można zostawić singla i wyjąć tylko plural. 2. Flaga env jest dobra, ale lepiej dodać też CLI flag Nie każdy chce grzebać w env. Lepiej mieć: --disable-spending-guard i opcjonalnie env jako fallback To daje: czytelność łatwiejsze odtwarzanie lepsze użycie w CI 3. Guard nie powinien opierać się tylko na substringach To jest główny problem architektoniczny. Lepsza kolejność: 1. API/provider signals 2. structured errors 3. dopiero na końcu text patterns Bo teraz zwykły tekst LLM może Ci odpalić logikę billingową przez przypadek. Jakbym to ustawił Nie jako „remove one bad word”, tylko: export const BILLING_TEXT_PATTERNS = [ 'spending limit', 'billing limit', 'usage limit exceeded', 'budget exceeded', 'cap reached', ] as const; Czyli: tylko bardziej jednoznaczne frazy bez ogólnych słów I do tego: export function isSpendingGuardDisabled(): boolean { return process.env.SHANNON_DISABLE_SPENDING_GUARD === '1'; } Potem używać jednej funkcji, zamiast powtarzać warunek w kilku miejscach. Jeszcze jedna ważna rzecz Ten warunek: if (turns > 2 || cost !== 0) return false; jest ok jako heurystyka, ale dalej krucha. Bo jeżeli provider zmieni raportowanie kosztu albo zwróci 0 przy innym błędzie, guard dalej może łapać śmieci. Czyli docelowo: billing detection powinno być oddzielone od generic failure detection Mój werdykt Issue: valid Proponowany commit: dobry kierunek Docelowy fix: usunąć ogólne patterny + dodać disable flag + preferować provider/API signals nad substring matching Jeśli chcesz, mogę Ci z tego od razu zrobić: krótki komentarz maintainera na GitHub, albo gotowy patch/PR description po angielsku. wt., 31 mar 2026, 15:01 użytkownik akirilov ***@***.***> napisał: > *akirilov* left a comment (KeygraphHQ/shannon#263) > < #263 (comment)> > > I can't submit my PR because of my work restrictions but I'm currently > doing something like this, I hope it's useful: > > commit e27928752d13f7dee162d9748ade0ebd0d513c52 > Author: Nas Kirilov ***@***.***> > Date: Tue Mar 31 15:56:37 2026 +0900 > > Remove 'reset' keyword and add flag to disable spending guard > > diff --git a/apps/worker/src/utils/billing-detection.ts b/apps/worker/src/utils/billing-detection.ts > index 6f25c72..25b528f 100644 > --- a/apps/worker/src/utils/billing-detection.ts > +++ b/apps/worker/src/utils/billing-detection.ts > @@ -26,7 +26,6 @@ export const BILLING_TEXT_PATTERNS = [ > 'cap reached', > 'budget exceeded', > 'usage limit', > - 'resets', > ] as const; > > /** > @@ -50,8 +49,10 @@ export const BILLING_API_PATTERNS = [ > /** > * Checks if text matches any billing text pattern. > * Used for sniffing SDK output content for spending cap messages. > + * Disabled when SHANNON_DISABLE_SPENDING_GUARD=1. > */ > export function matchesBillingTextPattern(text: string): boolean { > + if (process.env.SHANNON_DISABLE_SPENDING_GUARD === '1') return false; > const lowerText = text.toLowerCase(); > return BILLING_TEXT_PATTERNS.some((pattern) => lowerText.includes(pattern)); > } > @@ -82,6 +83,8 @@ export function matchesBillingApiPattern(message: string): boolean { > * @returns true if this looks like a spending cap hit > */ > export function isSpendingCapBehavior(turns: number, cost: number, resultText: string): boolean { > + if (process.env.SHANNON_DISABLE_SPENDING_GUARD === '1') return false; > + > // Only check if turns <= 2 AND cost is exactly 0 > if (turns > 2 || cost !== 0) { > return false; > > — > Reply to this email directly, view it on GitHub > < #263?email_source=notifications&email_token=BUHB4E747H6KNVLOFW5UJFL4TO6SXA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJWGI2DQMBZGA3KM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4162480906>, > or unsubscribe > < https://github.com/notifications/unsubscribe-auth/BUHB4E3ZTIL6MXNQEFXYSTL4TO6SXAVCNFSM6AAAAACXHIV2BWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNRSGQ4DAOJQGY> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.***> > — Reply to this email directly, view it on GitHub <#263?email_source=notifications&email_token=CAYAHXJOV4SR2EYW5PTY6WL4TPI3VA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJWGMYDOMBVHAY2M4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4163070581>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/CAYAHXNKXT3DRZDQ4EUJ7TD4TPI3VAVCNFSM6AAAAACXHIV2BWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCNRTGA3TANJYGE> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>